Presentation is loading. Please wait.

Presentation is loading. Please wait.

Black-box analysis of malware

Published byDoris Wilson Modified over 6 years ago

Similar presentations

Presentation on theme: "Black-box analysis of malware"— Presentation transcript:

1 Black-box analysis of malware
Vít Bukač CROCS, Faculty of Informatics, Masaryk University Supervisor IT Security, CIRT, Honeywell Global Security PV204 Security Technologies

2 Black-box analysis of malware – Outline
Lecture Malware Black-box principle Tools Automatic sandbox analysis Document analysis Hands-on lab Analysis of provided malware samples

3 Malware

4 Malware types Trojan Ransomware Fake AV Sniffer Backdoor Virus
Remote Access Tool (RAT) Worm Dropper Spyware Downloader Adware Information stealer Botnet Keylogger

5 Malware infection vectors
Link Attachment Link + document download Malicious website Drive-by download USB Cracked software Worms

6 Infection vector – Phishing
Subject “Account blocked” “Package to be delivered” “Expiring subscription” “Invoice” / “Receipt” / “Parchment” Signs Unexpected sender address (1) Graphic errors (2) Erroneous info (3) Links to unexpected URL (4) Links to same URL Generic salutation Use of threats, sense of urgency

7 Infection vector – Drive-by download

8 Infection vector – USB Autoruns BadUSB (Q3 2014)

9 Example – Zeus infection

10 Malware Kill Chain Each phase requires successful previous phases
Various detection methods at each phase

11 Black box malware analysis

12 Use cases What is the scope of compromise? What are 2nd stage callbacks? Communication between local file server and an unknown IP address in China has been observed. What process is responsible for the communication? Malware is creating temporary files. Where are these files located? Malware executable is created again after system reboot. How is it possible and what is causing it? A new type of malware has been spreading through internal network. How to quickly assess the malware capabilities? What is its purpose? Is it based on any well-known tool?

13 Black box malware analysis
Dynamic analysis – file is executed Analysis without internal knowledge Observable inputs Observable outputs Quick, simple Common monitoring tools Collected indicators about Filenames, process names, process parent/child relationships, temporal relationships, domain names, IP addresses, registry keys, persistence methods, cleanup operations etc. Can be highly automated

14 Black box malware analysis – Basic
Prepare analysis environment Create snapshot Run monitoring tools Run malware Collect and observe interactions between malware and VM Restore snapshot Repeat 3-6 as needed

15 Analysis environment Virtual Machine Software Risks
Limited/no connectivity Virtualized services (DNS, HTTP,…) Several VMs for various host types Software Monitoring tools Often exploited applications Risks VM isolation breach Malware inactivity in VM

16 Virtual machine snapshot
Snapshots Saved state of VM Disk state, memory state Quick restoration of previous state

17 Tools

18 Network analysis Capturing sent/received packets Protocol dissection
Promiscuous mode Tools Tcpdump, Wireshark, NetworkMiner Indicators Domain names, IP addresses, protocols, ports, HTTP parameters Q&A Who is this program communicating with? What reputation does the partner have? What data is exchanged? Is it encrypted or obfuscated?

19 Network analysis – What to look for
New established connections – HTTP 80/8080 Direct calls for domains without DNS lookup Random domain names (e.g., rpxiodffd.biz) Suspicious domain names (e.g., gooogle.org) Similarly looking domain names (e.g., osinstall.biz, swinstall.biz, swinstall.com) Outgoing portscans Ping/DNS request for well known services Connection availability test Be aware of background OS/processes activities!

20 Example – Wireshark

21 File system Observing file accesses and modifications
Background file manipulation Tools Procmon, Handle Indicators File names, folder names, order of actions, compromise spread through local system Q&A Where is malware copied after the initial infection? What filenames are used? Where is the collected data stored?

22 File system – What to look for
New file names & folders New created files and folders Batch files (.cmd, .bat, .vbs, .ps1) Known favorite malware file names (e.g., 1.exe, test.exe, new.exe) Known file names in uncommon folders (e.g., C:\Temp\svchost.exe) Recycler Modifications of system files Temporary storage files, encrypted archives

23 Example – Procmon

24 Registry Regedit RegRipper Autoruns

25 Registry – What to look for
Well-known locations Autorun locations Task scheduler Changes tracking Keywords fulltext search Filenames Processes Domain names

26 Registry – Regedit

27 Processes Observing initial system compromise
Processes parent/child relationships Tools Process Explorer, Procmon Indicators Process names, order of execution, dropper activity Q&A What processes are run after malware binary is executed? Are batch files involved? Are there watcher processes?

28 Processes – What to look for
Order of executables Initial malware Dropper/downloader Persistence executable Final malware Command line interpreters cmd.exe Powershell Cscript, wscript

29 Example – Process Explorer

30 Executable file analysis
Cryptographic hash Hash function which is considered practically impossible to invert Unique identification of file Counter: Polymorphism MD5, SHA1 Fuzzy hash Context triggered piecewise hash Families of files ssdeep Strings

31 Example – Strings Domain name Persistence registry key
server.exe AppData 4bcce4de98bcdb4d29f66c0fe1ffe002 hackerhani.no-ip.biz Software\Microsoft\Windows\CurrentVersion\Run Software\ yy-MM-dd ??-??-?? Microsoft Windows SystemDrive netsh firewall delete allowedprogram " Software cmd.exe /c ping 0 -n 2 & del " SEE_MASK_NOZONECHECKS netsh firewall add allowedprogram " Domain name Persistence registry key Commands to be executed MD5: 5d347384ea978a96bc842ad9f29e95f2

32 Analysis

33 Black box analysis – indicator interpretation
Practical examples of indicator linkage & black box analysis mindset Best practices Network analysis – domain & IP verification, processes communicating Hash comparison Collisions, same-hash files Behavior analysis System processes, created processes, persistence File manipulation

34 Automated sandbox analysis

35 Automated sandboxing Automated Non-interactive Known tools
Execute malware in sandbox Wait a few seconds Receive summary report Investigate report Non-interactive Known tools Cuckoo, Norman, Anubis etc.

36 Cuckoo sandbox Open source malware analysis system Can analyze
Windows executables, DLLs, PDF documents, URLs, HTML files, PHP scripts, Visual Basic scripts, ZIP archives, Python files, etc. Modular, scriptable Full memory dump (for Volatility Framework) Django web interface Mongo (NoSQL) database

37 Cuckoo – Architecture

38 Cuckoo – GUI

39 Internet sandbox services
Public service OpSEC issues Huge comparison database Exact match by hash Similarity search by keywords Malwr.com (public Cuckoo sandbox) VirusTotal.com ThreatExpert.com

40 Operational security (OpSec)
Advanced attackers monitor victim’s actions Unique indicators visible on Google? Attacker host monitoring for incoming traffic Keywords search in mails, PDFs… Basics of OpSec “Think before you act” mentality Limited information sharing Trace removal PassiveTotal.org

41 OpSec – Basic rules No ping No DNS lookup
No accessing to suspicious domains No premature remediation steps (reboot, antivirus scan, OS reinstall) No upload of samples No indicator validation on external sources NOT EVEN through 3rd parties

42 Anti-sandbox techniques
Continuous development – sandbox vs. anti-sandbox Malware inactive in analysis environment Tools presence detection (Wireshark, etc.) Virtualization detection Registry (key existence, key value) File system (file existence, drivers) Processes (syscall response) Human presence detection Mouse movement Keyboard activity File artefacts

43 Document analysis

44 Document analysis – Quick insight
EXIF information File metadata Document sandboxing Document interpretation ambiguity Practical examples Double extensions, different content in different viewers, code block obfuscation & hiding

45 Lab

46 Lab – Overview Hands-on experience of manual black-box analysis
Guided analysis of selected malware samples Tools Wireshark – Network activity Process Monitor – File system activity, process creation Autoruns – Persistence Regshot – Registry changes Process explorer – Process map

47 Lab – Samples 2-3 samples from different malware families
Commodity malware – Zeus, ZeroAccess, Generic Trojans,… Students will execute samples in virtual environment Provided simple analysis virtual machine (Windows) Indicators collected – network, files, persistence Discussion about interpretation of facts Homework 2 samples for analysis independently Write a cohesive report and present key information to the reader

Download ppt "Black-box analysis of malware"

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.

Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.

MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.
Automated Malware Analysis

Automated Malware Analysis
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.

Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.
Hacker Zombie Computer Reflectors Target.

Hacker Zombie Computer Reflectors Target.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Lecture#2 on Internet and World Wide Web. Internet Applications Electronic Mail (email) Electronic Mail (email) Domain mail server collects incoming mail.

Lecture#2 on Internet and World Wide Web. Internet Applications Electronic Mail ( ) Electronic Mail ( ) Domain mail server collects incoming mail.
Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.

Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.

Similar presentations

Ads by Google